stackoom
  简体   繁体   中英

Renaming Spring csrf token variable

 原文  2015-07-08 12:51:45       java/ spring/ spring-security/ csrf/ csrf-protection

Question

My application runs under another portal application. Both are implemented in spring and both use csrf security.

My need is basically change how the csrf token is named in the session, so both the tokens can work without conflicts. What I tried so far is creating another token repository and trying to change the parameter name and the session attribute name in the security config class. 

final HttpSessionCsrfTokenRepository tokenRepository = new HttpSessionCsrfTokenRepository();
tokenRepository.setHeaderName("TOOLBIZ-CSRF-TOKEN");
tokenRepository.setParameterName("toolbiz_csfr");
//tokenRepository.setSessionAttributeName("toolbiz_csrf");

When I make request Spring doesn't really like this new setup very much, and the log produces the following line: 

Invalid CSRF token found

What should I do more? Am I missing something?

2 answers

solution1
 2  2015-07-08 13:00:51

This is what worked for me:- 

@Configuration
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
public class OptosoftWebfrontSecurity extends WebSecurityConfigurerAdapter {

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests().antMatchers("/assets/**").permitAll()
            .anyRequest().authenticated().and().formLogin().and()
            .httpBasic().disable()
            .addFilterAfter(new CsrfHeaderFilter(), CsrfFilter.class)
            .csrf().csrfTokenRepository(csrfTokenRepository());
}

private CsrfTokenRepository csrfTokenRepository() {
    HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();
    repository.setHeaderName("X-XSRF-TOKEN");
    repository.setParameterName("_csrf");
    return repository;
}

}

And the filter:- 

public class CsrfHeaderFilter extends OncePerRequestFilter {
    @Override
    protected void doFilterInternal(HttpServletRequest request,
            HttpServletResponse response, FilterChain filterChain)
            throws ServletException, IOException {
        CsrfToken csrf = (CsrfToken) request.getAttribute(CsrfToken.class
                .getName());
        if (csrf != null) {
            Cookie cookie = WebUtils.getCookie(request, "XSRF-TOKEN");
            String token = csrf.getToken();
            if (cookie == null || token != null
                    && !token.equals(cookie.getValue())) {
                cookie = new Cookie("XSRF-TOKEN", token);
                cookie.setPath("/");
                response.addCookie(cookie);
            }
        }
        filterChain.doFilter(request, response);
    }
}

Did you override the WebSecurityConfigurerAdapter#configure method?

solution2
 0  2016-05-06 09:58:07

Please remember to delete any old cookies that you've got before renaming the Header. I had the same problem where everything was setup nicely, but old cookies in the browser caused the filter function to be useless basically.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Spring CSRF token life How can Spring add a new _csrf token to a session variable? Spring Security not creating CSRF token SPRING CSRF throws 405 despite CSRF token in request Spring security csrf disabled, still get an Invalid CSRF token found Spring Security 4 JTwig put CSRF token in forms Spring: Generate new csrf token programmatically How to enable CSRF token with Spring Boot Spring boot - Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN' How does the spring internally validate the csrf token with _csrf parameter or X-CSRF-TOKEN header?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM